Office of Inspector General

Testimony of Bruce N. Crandlemire, Assistant Inspector General for Audit
U.S. Agency for International Development

Submitted to the Committee on Government Reform
U.S. House of Representatives

No Computer System Left Behind: A Review of the Federal Government’s D+ Information Security Grade

April 7, 2005


Mr. Chairman and other Committee members:

Thank you for the opportunity to provide testimony on the U.S. Agency for International Development’s (USAID) compliance with the Federal Information Security Management Act of 2002 (FISMA). As you have requested, my testimony will focus on the state of information security at USAID and the methodology we used to perform our fiscal year 2004 FISMA audit. In addition, I will discuss the need for a standardized FISMA auditing framework and what additional guidance is needed for agencies to fully comply with FISMA.


STATE OF INFORMATION SECURITY AT USAID

USAID has made many positive strides over the last few years in addressing information security weaknesses. In particular, USAID has made several improvements in response to audits performed by my office and, in turn, has substantially improved its computer security program. Although there have been improvements in information security, USAID still faces several important challenges in refining its information security environment.

In 1997, the Office of Inspector General (OIG) identified information security as a material weakness at USAID. USAID information technology officials agreed with our conclusion and included it in USAID’s annual report as required by the Federal Managers’ Financial Integrity Act. At that time, USAID did not have (1) an organizational structure that clearly delegated information security responsibilities, (2) policies that provided for an effective information security program, and (3) key management processes to ensure that security requirements were met. This material weakness remained outstanding for seven years, until fiscal year 2004, when USAID concluded, and we agreed, that information security was no longer a material weakness for the agency. As a result, information security at USAID today is a different story than it was in 1997.

In recent years, two of the most significant changes have been the appointment of an Information Systems Security Officer and the implementation of a centralized information security framework. Under this framework, USAID (1) centrally manages its Windows 2000 domain servers, firewall, and virus scan software for most of USAID’s networks; (2) instituted a process to assess information systems security for the purchase of capital assets; and (3) is continually updating its information security policies and procedures.

The Agency has also initiated several significant technological changes to improve its computer security. For example, USAID has done the following:

   •  Deployed Windows 2000, which has allowed the Agency to lock down configured security settings and which incorporated many security improvements in comparison to Windows 98.
   •  Installed operating network sensors to help detect unauthorized attempts to access USAID’s network.
   •  Run daily scans of its worldwide network to proactively identify potential vulnerabilities in its network. Based on the results of the scans, the Agency’s Information Systems Security Officer has been issuing monthly grades, similar to the grades listed in FISMA’s annual report card, to its overseas missions.
   •  Implemented “Tips of the Day,” an automated information security awareness program that provides security reminders to all system network users each day as a prerequisite to network login.

Through these system-wide information technology policy and network changes, information security and information security awareness at USAID’s locations around the world have been significantly increased.

Although USAID has made substantial progress in improving information security, weaknesses still remain. As reported in our fiscal year 2004 FISMA audit report, the Agency had not developed disaster recovery plans for three major systems and had not tested disaster recovery plans for two other major systems. This represents a significant vulnerability because USAID is not fully prepared for an emergency event. To a lesser degree, USAID also needs to:

   •  Improve its information resource management processes, such as the full implementation of information technology program management and oversight practices.
   •  Improve several management controls to address outdated virus definitions, the installation of unauthorized software on employee computers, and the inconsistent updating of security software patches on individual computers.
   •  Test the effectiveness of USAID’s security awareness program.


METHODOLOGY AND RESOURCES USED FOR THE FISMA AUDIT

The OIG approach to assessing USAID information security under FISMA was to conduct an audit as opposed to an evaluation. Our audit addressed all the reporting requirements of the Office of Management and Budget’s (OMB) reporting template and the FISMA requirements.

In fiscal year 2004, the audit fieldwork was conducted from August 19 through October 6, 2004, and involved 610 staff hours. In addition, we relied on other audits (e.g., general control and Phoenix financial system audits) to support and complement our FISMA fieldwork. For example, the fiscal year 2004 general control audit, which involved reviewing security controls of USAID’s financial systems (in most cases, the same systems reviewed for FISMA), involved 2,843 staff hours. This audit included reviewing USAID’s systems in Washington and at 12 overseas missions.

Our goal was not only to validate USAID’s responses to OMB’s questionnaire, but also to verify actions that USAID had taken to comply with FISMA. By verifying USAID’s answers to OMB’s reporting template, we could conclude where the Agency stood in terms of its compliance with FISMA.

Systems covered by the audit included the Washington financial system, the Missions financial system, the contract and procurement system, USAID’s network system, and the Office of Foreign Disaster Assistance’s network system. In addition to covering systems operated by USAID, we also determined whether the Agency had obtained security assurances for three systems operated by third parties: the payroll system operated by the National Finance Center, the letter of credit system operated by the Department of Health and Human Services, and the loan management system operated by Riggs Bank.

To perform the audit, we interviewed USAID officials to discuss their answers to OMB’s questionnaire and then requested support for their answers. Types of source documents that we reviewed included certifications and accreditations for Agency and third-party-operated systems, reviews of contractor facilities, reports to the United States Computer Emergency Team (USCERT), and internally generated security incident reports.

For each of USAID’s 49 answers to the questionnaire, we determined whether the Agency’s answer was supported by the source document provided and by testimonial evidence. If an Agency answer was not supported, we brought that issue to management’s attention. In the end, we agreed with 48 of the Agency’s 49 answers. The one answer that we did not agree with involved whether the OIG had been included in the development and verification of the Agency’s IT systems inventory.


NEED FOR AN INSPECTOR GENERAL AUDITING FRAMEWORK FOR INFORMATION SECURITY

In my opinion, since OIG input into the FISMA process is used to grade security among civilian agencies, there is an implicit assumption that there must be a defined common set of attributes to facilitate meaningful comparisons of the independent evaluations or audits performed by each IG. Further, these attributes, or a common IG security auditing framework, should be developed on a collaborative basis among the IG community (such as through the President’s Council on Integrity and Efficiency forum), OMB, and the Government Accountability Office. Additionally, the framework should address the resources needed to carry out its development and implementation, along with Congressional support for such an initiative.


ADDITIONAL GUIDANCE, PROCEDURES, OR RESOURCES NEEDED TO IMPROVE COMPLIANCE WITH FISMA

In regard to OMB’s FISMA questionnaire, there are two suggestions that we would like to make:

   1. Agencies and IGs need more time to respond to the annual OMB FISMA questionnaire. Since 2002, the time to respond to the questionnaire has decreased each year, as follows:
         •  In 2002, under GISR, OMB issued its guidance (M-02-09) on July 2 and expected responses by September 16—76 days.
         •  In 2003, OMB issued its FISMA guidance (M-03-19) on August 6 and expected responses by September 22—47 days.
         •  In 2004, OMB issued its FISMA guidance (M-04-25) on August 23 and expected responses by October 6—44 days.

   2. The Office of Inspector General is responsible for conducting the FISMA audits at three micro-agencies: the Millennium Challenge Corporation, the African Development Foundation, and the Inter-American Foundation. OMB has established an abridged FISMA reporting format for micro-agencies (agencies with fewer than 100 Federal employees). While this is helpful, small agencies with more than 100 Federal employees struggle to respond to the full FISMA requirements. This was noted by OMB in early 2005, and we understand that OMB is considering standardizing the cyber security business processes of agencies to save money, increase security, and help those agencies with small IT budgets. In the future, OMB might want to consider not just employee numbers but also IT budgets in its definition of micro-agencies (e.g., agencies with fewer than 250 employees and IT budgets below a certain dollar threshold).


SUMMARY

In summary, USAID has made positive strides in addressing information security weaknesses, and our audits have confirmed the improvements. Although there is still work to be done, USAID is on the right path.

Again, thank you for the opportunity to testify today. I will be happy to respond to any questions you may have.


U.S. Agency for International Development
1300 Pennsylvania Avenue, NW
Washington, DC 20523
www.usaid.gov